I introduced the concept of the “human paradox” in my book Into the Breach. In the process, I realized that a security breach -- however you define it -- is only a symptom:

“The problem is that people have been unintentionally—but systematically—disconnected from the consequences of their decisions. As a direct result, they do not take responsibility and are not held accountable. Treating a breach as the problem only makes this worse.”

We’re at an inflection point. The nature of breaches, the impacts, how they get reported. It’s all changing. And that’s a good thing.

Part of the shift requires ending our bias for breach prevention, because that bias is causing blind spots. It’s a natural response to the questions that come with a breach announcement. People demand to know how it happened. Why it happened. And why it wasn’t prevented.

That leads to a call to “do something, anything” so this doesn’t happen again. That creates a trap. Inertia frees up funding and support for solutions that promise to prevent breaches.

This isn’t a call to abandon prevention. But the bias for prevention frequently excludes the necessary focus on detection and response.

We’re growing tired of cagey answers after a breach. Not every attack was sophisticated, complex, or unprecedented. Companies concerned about lawsuits and public image adopted an approach designed to suggest they weren’t at fault. It often devolves into “victim shaming”: plenty of post-breach analysis listing all the things the victim company did wrong.

A new trend is emerging. Smaller companies are leading a more transparent effort to explain the breach. They share what happened. They provide details. They explain what they learned. They offer insight and provide confidence that it mattered.

It demonstrates the importance of detection and response. The companies that detect problems and respond appropriately gain favor. Minimally, they don’t seem to suffer.

A breach is not inevitable. All hope is not lost. The opportunity is for the organization to anticipate breach (read more here).

The word ‘anticipate’ is the focus. Anticipation carries a connotation of preparedness. It is a positive, favorable concept. It replaces my previous assertion of “assume breach” -- which I cast and twisted into a positive by way of questions.

The way to anticipate breach is to ask questions. Start high level. Stay functional and focus on mutual understanding. Don’t worry about technical considerations until later. They can wait.

This is a dialogue. An opportunity to explore. To learn together.

It’s not about offering quick answers. Even if you think you know the answer. This isn’t a time to lead with solutions.

Start with a basic question. Then bring it back to basic questions that start a conversation about prevention, detection, and response. But work in a different order. Start with detection. The next few panels help get the ball rolling.

The easiest way to get started is to ask, “What happens when breach happens?”

Don’t be surprised if you ask and the first answer is “nothing.” Or a shrug and a puzzled look. We’ve spent a lot of time in security exploring and understanding threats. We know attackers explore and exploit just about anything they can get their hands on. This is your chance to do the same (read more about how here).

This is a chance to learn. Find out how the system or solution works. Explore what would create problems. Investigate how you could produce evidence of that. What is the signal to look for? What is the damage? Are there steps we can take?

This question applies to everyone. Ask the business what they’d look for. Explore the options available to you.

Speed counts. Accuracy counts more. Consider the difference between an alert and a confirmation. The key is building the capability that detects when something goes wrong… without increasing the burden on your team.

Hidden in this question is figuring out how quickly you need to detect something wrong.

This is about appropriateness. What is the best response? Based on the ideal, how well do you do today? What changes get you closer to the ideal?

Based on the range of things that happen, consider how to map who needs to be involved. Figure out how to coordinate before, during, and after the response. Build in the time and effort to rehearse scenarios. Learn and work together.

In the series of prevention, detection, and response, I ask this question last. Most focus on prevention, and bringing it up early tends to place focus on the wrong things. Once a clearer picture of detection and response emerges, ask about prevention.

Take the time to explore how the preventative controls work. Question whether they are providing the results expected. Better still, measure the value.

Is your prevention actually protecting the right things? If not, then perhaps some adjustments are in order. Maybe it offers insights into where to focus detection efforts.